In this chapter, we looked at the
topics in the third domain of the Security+ exam, Infrastructure Security.
The chapter covers everything from physical components to applications:
all the components that are likely to be part of your network
infrastructure.

Devices

Devices you learned about include:

Firewalls, which protect an internal network
from the outside world; more about these later in this summary.

Routers, the traffic directors of the
Internet at the Network Layer, which connect networks, forwarding packets
between them; you can limit sniffing by using routers to send to a subnet
only the traffic required to be on it, and use Access Lists to control
traffic passing through routers based on source IP address, destination
IP address, port number, direction and other characteristics.
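The access-list behaviour described above, as an added example that is not from the original text: a small first-match evaluator over constructed rules for a hypothetical protected subnet 10.1.2.0/24 (host 10.1.2.10 is an assumed web server), with the implicit deny that ends every access list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str  # "in" = entering the protected subnet, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # CIDR; "0.0.0.0/0" means any source
    dst: str                  # CIDR; "0.0.0.0/0" means any destination
    dport: Optional[int]      # None matches any destination port
    direction: Optional[str]  # None matches either direction

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.direction is None or self.direction == pkt.direction))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Rules are checked top to bottom; the first match decides.
    Nothing matched means the implicit deny at the end of the list applies."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule set (assumed subnet 10.1.2.0/24, assumed web server 10.1.2.10).
ACL = [
    # Anti-spoofing: an "internal" source address must never arrive from outside.
    Rule("deny", "10.1.2.0/24", "0.0.0.0/0", None, "in"),
    # Only HTTPS to the web server is allowed in from anywhere.
    Rule("permit", "0.0.0.0/0", "10.1.2.10/32", 443, "in"),
    # Internal hosts may initiate outbound connections.
    Rule("permit", "10.1.2.0/24", "0.0.0.0/0", None, "out"),
]

if __name__ == "__main__":
    print(evaluate(ACL, Packet("203.0.113.5", "10.1.2.10", 443, "in")))  # permit
    print(evaluate(ACL, Packet("203.0.113.5", "10.1.2.10", 22, "in")))   # deny
```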

Switches, which direct traffic at the
Data Link, or MAC, Layer, forwarding to each segment only the traffic required
there, in order to minimize opportunities for sniffing; unlike hubs, they do
not automatically make a packet appearing at one switch port available
to the connections on all other switch ports.

Wireless, which implements network connectivity
without the need for physical connections; due to the current state
of the most common 802.11-based wireless protocols, access control and
the sniffing of unencrypted wireless network traffic are security concerns.

Modems, which allow users to connect to
your network from outside it, may allow users to bypass security if
dial-ins are not restricted by a firewall or VPN as connections
arriving from the Internet would be; you can limit access to
your modem pool by using call-back technology, but attackers can sometimes
defeat this by using call-forwarding.

RAS, Remote Access Services
(discussed in Section 2), which authenticates users connecting
to the network from a remote location and allows them network resource
access; it can use many authentication mechanisms, including CHAP and
MS-CHAP (considered more secure), and PAP and SPAP (considered less
secure); RAS attempts should be logged so that you have a record of
successful and unsuccessful connections.

Telecom/PBX, which is becoming more of
an issue as more organizations combine computers and telephony, possibly
even integrating them with IP telephony; phone networks have security
concerns similar to those of data networks, and in some cases less security;
you should change all default passwords on your PBX, limit administrative
access permissions to locations requiring physical access to the administrative
console, and be on guard for social engineering attempts.

VPNs, Virtual Private Networks, which
allow you to simulate a private network over a public network through
secure authentication and data encryption; VPNs are a cost-effective
alternative to dedicated private networks, and may be used to protect
services used by both internal and external users; VPNs can be
used internally to provide an extra level of security for sensitive
transactions such as payroll; VPN security vulnerabilities include susceptibility
to Internet traffic interruptions and flakiness, lack of encryption
of some packet fields such as source/destination address under some
VPNs, susceptibility to DoS attacks, and configuration challenges.

IDS, Intrusion Detection Systems, which
detect attempts to break into or misuse a system or network; attacks
they can detect include network scans, packet-spoofing, DoS and other
common script-kiddie attacks, unauthorized service connection attempts,
malformed packets, changed system files and improper activities; an
IDS should be placed on your network anywhere you want to monitor for
suspicious activities.
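One of the IDS detections listed above, a network scan, as an added example that is not from the original text: a source touching many distinct ports on one host inside a short window is flagged. The log format and all addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection-attempt log (not output of any real device):
# one host probing six ports in a few seconds, one legitimate HTTPS client.
SAMPLE_LOG = """\
2004-06-01T10:00:00 SYN src=203.0.113.9 dst=10.1.2.10 dport=21
2004-06-01T10:00:01 SYN src=203.0.113.9 dst=10.1.2.10 dport=22
2004-06-01T10:00:01 SYN src=198.51.100.4 dst=10.1.2.10 dport=443
2004-06-01T10:00:02 SYN src=203.0.113.9 dst=10.1.2.10 dport=23
2004-06-01T10:00:02 SYN src=203.0.113.9 dst=10.1.2.10 dport=25
2004-06-01T10:00:03 SYN src=203.0.113.9 dst=10.1.2.10 dport=80
2004-06-01T10:00:04 SYN src=198.51.100.4 dst=10.1.2.10 dport=443
2004-06-01T10:00:05 SYN src=203.0.113.9 dst=10.1.2.10 dport=110
2004-06-01T10:00:09 SYN src=198.51.100.4 dst=10.1.2.10 dport=443
"""

LINE_RE = re.compile(r"^(\S+) SYN src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(log_text):
    """Return (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def detect_port_scans(events, window=timedelta(seconds=60), threshold=5):
    """Flag each (src, dst) pair where src hits >= threshold distinct ports
    on dst within one sliding window; value is the number of ports seen."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts[pair] = len(ports)
                break
    return alerts


if __name__ == "__main__":
    print(detect_port_scans(parse(SAMPLE_LOG)))  # {('203.0.113.9', '10.1.2.10'): 6}
```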

Network monitoring/Diagnostic Tools, which
include tools working at low layers such as TDRs and SNMP-enabled
devices like switches, as well as higher-level tools that monitor packet
traffic, capture network configuration information, and scan a network
or system for open ports; SNMP is the Simple Network Management Protocol,
used to query devices for information and sometimes alter parameters;
because SNMP traffic is very vulnerable to sniffing, and its community
name authentication is insecure, we recommend that you disable
it unless you can configure your devices to use the more secure SNMPv2.

Workstations, which are the machines your
network's users employ to get their work done, and often the source
of troubles like viruses spread by users opening email attachments,
staff installing and running unauthorized applications, not adequately
securing their machines when away from them, using insecure passwords,
or hooking a modem up to their PC for access from home; other issues
include the ability to boot the workstation into an OS that
allows direct access to disk contents, the ability to change BIOS information,
and theft.

Servers, which usually run services used
by many client users, are a security priority; they're also a hacker
target because of the importance of the data they hold, or functionality
they offer the network; placing a server in your internal network is
no guarantee against attack, since some attacks originate internally;
if uptime is a concern, consider adding a UPS or generators, or even
implementing a clustered system with multiple redundant
high-availability hardware components such as RAID arrays and hot-swappable
devices.

Mobile Devices, which span from Pocket
PC and Palm handhelds, to RF scanners and notebooks, are those items
on your network which typically aren't restricted to just one location;
because of their portability, you are advised to set a password on the
device if possible, encrypt data stored on the device, and consider
encryption for any wireless networking to minimize the potential for
loss of confidential data; because these devices move around a lot,
they are also vulnerable to loss of the units themselves and data corruption,
so upload collected data from the mobile device to your network as soon
after collection as possible.
